From 64b78b5822f5c5410975dfab524c6f3ab09ad5ba Mon Sep 17 00:00:00 2001
From: advplyr
Date: Sun, 6 Oct 2024 16:29:30 -0500
Subject: [PATCH] Move pagination limit/page query param validation to middleware & check for positive integer
---
 client/components/app/BookShelfToolbar.vue | 2 -
 server/controllers/LibraryController.js | 44 ++++++++++++----------
 2 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/client/components/app/BookShelfToolbar.vue b/client/components/app/BookShelfToolbar.vue
index eabb5f74..04354c80 100644
--- a/client/components/app/BookShelfToolbar.vue
+++ b/client/components/app/BookShelfToolbar.vue
@@ -479,8 +479,6 @@ export default {
 })
 },
 async fetchAllAuthors() {
- const authors = []
-
 // fetch all authors from the server, in the order that they are currently displayed
 const response = await this.$axios.$get(`/api/libraries/${this.currentLibraryId}/authors?sort=${this.settings.authorSortBy}&desc=${this.settings.authorSortDesc}`)
 return response.authors
diff --git a/server/controllers/LibraryController.js b/server/controllers/LibraryController.js
index 927f9a94..d1e2becb 100644
--- a/server/controllers/LibraryController.js
+++ b/server/controllers/LibraryController.js
@@ -493,8 +493,8 @@ class LibraryController {
 const payload = {
 results: [],
 total: undefined,
- limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
- page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0,
+ limit: req.query.limit,
+ page: req.query.page,
 sortBy: req.query.sort,
 sortDesc: req.query.desc === '1',
 filterBy: req.query.filter,
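Review bot: With the new middleware only normalising `limit`/`page` when they are present, `limit: req.query.limit` and `page: req.query.page` here are `undefined` whenever the client omits them, where the removed lines produced `0`; the later `payload.offset = payload.page * payload.limit` (hunk at -504) and `const offset = payload.page * payload.limit` (hunk at -1147) then evaluate to `NaN` instead of `0`, and the `limit`/`page` fields drop out of the JSON response. The same pattern is in the hunks at -602, -674, -710 and -1147. Unless the query layer is known to treat a `NaN` offset as unset (not visible in this diff), keep a numeric default at each site, `limit: req.query.limit ?? 0,` / `page: req.query.page ?? 0,`, or have the middleware assign `0` for absent params so every handler sees a number. This assumes the validation middleware fronts every route that reads these params; the enclosing handler starts and ends outside the hunk.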
@@ -504,13 +504,6 @@ class LibraryController {
 include: include.join(',')
 }
- if (!Number.isInteger(payload.limit) || payload.limit < 0) {
- return res.status(400).send('Invalid request. Limit must be a positive integer')
- }
- if (!Number.isInteger(payload.page) || payload.page < 0) {
- return res.status(400).send('Invalid request. Page must be a positive integer')
- }
-
 payload.offset = payload.page * payload.limit
 // TODO: Temporary way of handling collapse sub-series. Either remove feature or handle through sql queries
@@ -602,8 +595,8 @@ class LibraryController {
 const payload = {
 results: [],
 total: 0,
- limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
- page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0,
+ limit: req.query.limit,
+ page: req.query.page,
 sortBy: req.query.sort,
 sortDesc: req.query.desc === '1',
 filterBy: req.query.filter,
@@ -674,8 +667,8 @@ class LibraryController {
 const payload = {
 results: [],
 total: 0,
- limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
- page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0,
+ limit: req.query.limit,
+ page: req.query.page,
 sortBy: req.query.sort,
 sortDesc: req.query.desc === '1',
 filterBy: req.query.filter,
@@ -710,8 +703,8 @@ class LibraryController {
 const payload = {
 results: [],
 total: playlistsForUser.length,
- limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
- page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0
+ limit: req.query.limit,
+ page: req.query.page
 }
 if (payload.limit) {
@@ -742,7 +735,7 @@ class LibraryController {
 * @param {Response} res
 */
 async getUserPersonalizedShelves(req, res) {
- const limitPerShelf = req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) || 10 : 10
+ const limitPerShelf = req.query.limit || 10
 const include = (req.query.include || '')
 .split(',')
 .map((v) => v.trim().toLowerCase())
@@ -815,7 +808,7 @@ class LibraryController {
 return res.status(400).send('Invalid request. Query param "q" must be a string')
 }
- const limit = req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 12
+ const limit = req.query.limit || 12
 const query = asciiOnlyToLowerCase(req.query.q.trim())
 const matches = await libraryItemFilters.search(req.user, req.library, query, limit)
@@ -873,7 +866,7 @@ class LibraryController {
 * @param {Response} res
 */
 async getAuthors(req, res) {
- const isPaginated = req.query.limit && !isNaN(req.query.limit) && req.query.page && !isNaN(req.query.page)
+ const isPaginated = req.query.limit && !isNaN(req.query.limit) && !isNaN(req.query.page)
 const payload = {
 results: [],
@@ -1147,8 +1140,8 @@ class LibraryController {
 const payload = {
 episodes: [],
- limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
- page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0
+ limit: req.query.limit,
+ page: req.query.page
 }
 const offset = payload.page * payload.limit
@@ -1251,6 +1244,17 @@ class LibraryController {
 return res.status(404).send('Library not found')
 }
 req.library = library
+
+ // Ensure pagination query params are positive integers
+ for (const queryKey of ['limit', 'page']) {
+ if (req.query[queryKey] !== undefined) {
+ req.query[queryKey] = !isNaN(req.query[queryKey]) ? Number(req.query[queryKey]) : 0
+ if (!Number.isInteger(req.query[queryKey]) || req.query[queryKey] < 0) {
+ return res.status(400).send(`Invalid request. ${queryKey} must be a positive integer`)
+ }
+ }
+ }
+
 next()
 }
}
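Review bot: The middleware's `isNaN`/`Number()` check in the hunk at -1251 accepts any string `Number()` can parse, so `limit=0x10`, `limit=1e3` and `limit=%205%20` pass as integers, and the 400 message says "positive integer" while `0` is accepted. A digits-only test is tighter and also rejects array- or object-shaped params that `Number()` happens to coerce: `if (!/^\d+$/.test(String(req.query[queryKey]))) return res.status(400).send(`Invalid request. ${queryKey} must be a non-negative integer`)` followed by `req.query[queryKey] = Number(req.query[queryKey])`. There is still no upper bound on `limit`, so one request can ask for an arbitrarily large page; capping it here against a project-chosen maximum (placeholder `MAX_PAGE_SIZE`) keeps every handler covered by a single check. If the project is on Express 5, `req.query` is a getter and writes to it may not be visible to the handlers that follow — verify against the Express version in use, since the handlers in the earlier hunks rely on the coerced value.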